Streamlining Extraction and Analysis of Android RAM Images

Simon Broenner, Hans Höfken, Marko Schuba

2016

Abstract

The Android operating system powers the majority of the world's mobile devices and has become increasingly important in day-to-day digital forensics. Therefore, technicians and analysts need reliable methods for extracting and analyzing memory images from live Android systems. This paper takes different existing extraction methods and derives a universal, reproducible, reliably documented method for both extraction and analysis. In addition, the VOLIX II front-end for the Volatility Framework is extended with additional functionality to make the analysis of Android memory images easier for technically non-adept users.

Paper Citation


in Harvard Style

Broenner S., Höfken H. and Schuba M. (2016). Streamlining Extraction and Analysis of Android RAM Images. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 255-264. DOI: 10.5220/0005652802550264


in Bibtex Style

@conference{icissp16,
author={Simon Broenner and Hans Höfken and Marko Schuba},
title={Streamlining Extraction and Analysis of Android RAM Images},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={255-264},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005652802550264},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Streamlining Extraction and Analysis of Android RAM Images
SN - 978-989-758-167-0
AU - Broenner S.
AU - Höfken H.
AU - Schuba M.
PY - 2016
SP - 255
EP - 264
DO - 10.5220/0005652802550264